Active Directory UDF - Help & Support

[water]

You are using the "old" Active Directory UDF "adfunctions.au3".

Please have a look at my signature or load the "new" UDF from the first page of this thread. The "new" UDF is the successor of the original script plus a lot of enhancements.

The function names have changed a bit: _ADx is now _AD_x and a _AD_Open() is required at the start of the skript.

I will be glad to help you with any problems you have with the "new" UDF.

At the moment I'm not at my windows PC but tomorow I will have a look at your script.

[water]

With the "new" AD UDF your script could look like:

#include <ad.au3>
#include <array.au3>

Global $OU = "ou=Yellow,ou=Groups,dc=net,dc=local"
Global $aGroups, $aGroupMembers

_AD_Open()
$aGroups = _AD_GetObjectsInOU($OU, "(objectcategory=group)", 1)
ConsoleWrite(@error & @CRLF)
ConsoleWrite("--- Found " & $aGroups[0] & " groups to process" & @CRLF)

;alphabetically sort array
_ArraySort($aGroups, 0, 1)

For $i = 1 To $aGroups[0]
    ;do stuff against each
    ;get group group membership
    $aGroupMembers = _AD_GetGroupMemberOf($aGroups[$i])
    ConsoleWrite("----- found: " & $aGroupMembers[0] & " groups" & @CRLF)
    ;do stuff against each
    For $d = 1 To $aGroupMembers[0]
        ConsoleWrite("------ check:" & $aGroupMembers[$d] & @CRLF)
    Next
Next
_AD_Close()

Edited March 31, 2011 by water

[zac]

thanks a lot, I'll give that a try

[zac]

brilliant this works, thanks again

[water]

Glad it works

[kor]

_AD_AddUserToGroup doesn't seem to work when the shell isn't loaded.

I am attempting to add a computer to a group during the runonce, however it is never getting added. If I run the exact same code after the XP shell has loaded the script runs fine.

[water]

_AD_AddUserToGroup doesn't do anything special. I suspect that _AD_Open already gives you an error.

Could you please do some error checking and write the return value, @error and @extended of every _AD_xx statement to a file?

[kor]

It wouldn't be in every function since I'm also calling JoinToDomain before the shell loads and that works fine. But right after I join to the domain I attempt to add the newly joined computer to specific groups which fails.

[water]

_AD_JoinDomain is an untypical function as it uses WMI to join the computer and only a single AD function to check if the computer already exists in the domain.

What error do you get when you call _AD_AddUserToGroup?

Are you sure the user (System Account) has the proper permissions on the AD?

[kor]

_AD_JoinDomain is an untypical function as it uses WMI to join the computer and only a single AD function to check if the computer already exists in the domain.

What error do you get when you call _AD_AddUserToGroup?

Are you sure the user (System Account) has the proper permissions on the AD?

I've worked around the problem by just calling the addtogroups function after the shell loads. I am certain I have the permissions because I'm running the exact same code before and after the shell runs, logging into AD with the same username and password.

I had a deadline to get the code done and it's finished, but just as an FYI you might want to test your function to see what is going on because it's erroring out if no shell is present.

[water]

Would you be so kind to strip down your script to just the following and let it run before the shell is loaded?

I only have readonly access to our AD and therefore can't test the problem.

$iAD_Debug = 3
_AD_Open()
_AD_AddUserToGroup(...)

This should create AD_Debug.txt in the directory where the script is located.

[water]

Version 1.0.0 has been released.

Please test before using in production!

For download please see my signature.

[z3r0c00l12]

Hi Water,

I had a quick question, I'm working on a small project, and wanted to limit certain functions of the script by checking if the user is part of a group in AD. I tried _AD_IsMemberOf, which works correctly except with "Domain Users", I saw a few other people reported this, "Domain Users" has every user of the domain in it, yet it always returns 0, I haven't had a chance to test the solution you already posted though. Anyways, the problem I encountered is that the specific group I am querying doesn't contain users directly, they are rather nested groups since it is a large organization (30,000+).

So we have something that goes like:

Group-All, which contains

-Group-1

-Group-2

-Group-3

...

-Group-8

and within each group, some more groups which contain the users itself, like Group-1A.

So when a query is done like _AD_IsMemberOf("Group-All","User") it returns 0 even though User is part of Group-1A.

I wanted to know if there is an easy way of doing this recursive search in a single function?

Thank you.

[water]

Hi z3r0c00l12,

there is no recursive _AD_IsMemberOf available.

But you can check the membership the other way round. _AD_GetGroupMemberOf returns an array of every group the user is a member of (primary group is excluded. But can be queried using _AD_GetPrimaryGroup). Check the array if the required group is there.

[netegg]

hi water,

i try the udf for the password complexity, but i was too fool to work out. would you like to give some idea?

[water]

Hi netegg,

the hex values for the password properties can be found here. The properties are read only because - as fas as I know - they are set by group policies.

It's a bit field so you have to use bit operations to check if one of the flags is set.

Global Const $DOMAIN_PASSWORD_COMPLEX = 0x00000001
Global $aTemp = _AD_GetPasswordInfo()
If Bitand($aTemp[12], $DOMAIN_PASSWORD_COMPLEX) = $DOMAIN_PASSWORD_COMPLEX Then MsgBox(16, "Passwort Complexity", "Password Complexity is set")

[ICANSEEYOU7687]

Quick question, I am running

Global $iResult = _AD_GetObjectsInOU($sOU, "(name=*)", 0, "sAMAccountName,distinguishedName,displayname", "", True)

and I am getting the correct result, but I am getting a lot of accounts that I dont see in AD, or ADExplorer that do not have account names. Is there an easy way to filter this so I only get a list of users with accounts names?

Thanks!

[water]

Have a quick look at the _AD_GetObjectsInOU example script. For better performance and filtering use objectcategory and objectclass.

Your code listed everything that had a name (users, computers, groups ...)

$iResult = _AD_GetObjectsInOU($sOU, "(&(objectcategory=person)(objectclass=user))", 2, "sAMAccountName,distinguishedName,displayname", "displayname", True)

[ICANSEEYOU7687]

Have a quick look at the _AD_GetObjectsInOU example script. For better performance and filtering use objectcategory and objectclass.

Your code listed everything that had a name (users, computers, groups ...)

$iResult = _AD_GetObjectsInOU($sOU, "(&(objectcategory=person)(objectclass=user))", 2, "sAMAccountName,distinguishedName,displayname", "displayname", True)

Thanks for the fast reply, im still getting a lot of accounts without user names listed. Its strange, because these accounts (without user names) do not appear in Active Directory or AD Explorer. I think something funny might be going on.

[water]

Can you post the distinguished name of such an item?